@angular/platform-server: domino: Angular Platform Server: Cross-Site Scripting via unescaped `</noscript>` tags in dynamic content
Summary
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25. A flaw was found in @angular/platform-server. This Cross-Site Scripting (XSS) vulnerability exists in its DOM emulation dependency, domino, when handling the content of `<noscript>` elements during server-side rendering. A remote attacker could exploit this by injecting unescaped closing `</noscript>` tags within dynamic text content. This allows for the execution of arbitrary code in the user's browser context, potentially leading to information disclosure or other malicious activities. This flaw has an Important impact as @angular/platform-server's DOM emulation dependency (domino) in Red Hat products does not properly escape closing noscript tags during server-side rendering. A remote unauthenticated attacker can inject a crafted closing noscript tag into dynamic text content, which is serialized unescaped into the output HTML. When a user visits the affected page, the injected script executes in their browser context, enabling session hijacking, credential theft, or arbitrary actions on behalf of the user. Red Hat severity: Important — CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). Weakness: CWE-79. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.